Release: 1. BSBCON601B Develop and maintain business continuity plans

BSBCON601B Develop and maintain

business continuity plans

BSBCON601B Develop and maintain business continuity plans

Modification History

Release Comments

Release 1 This version first released with BSB07 Business Training

Package version 6.0.

Revised unit. Required knowledge updated to incorporate current Australian Standards.

Replaces BSBCON601A Develop and maintain business continuity plans

Unit Descriptor

This unit describes the performance outcomes, skills and knowledge required to work within the business continuity framework to develop and implement business continuity plans in order for an organisation to manage risk and ensure business resilience when faced with a disruptive event.

Application of the Unit

This unit is for individuals working in positions of authority who are approved to implement change across the division, business area, program area or project area.

This unit addresses the knowledge and processes necessary to develop and maintain business continuity requirements. Business continuity awareness and planning help the organisation to identify barriers and/or interruptions, and to determine how the organisation will achieve critical business objectives (even at diminished capacity) until full functionality is restored. The focus is on risk and vulnerability assessment, business impact assessments, and business continuity and communication plans.

Licensing/Regulatory Information

No licensing, legislative, regulatory or certification requirements apply to this unit at the time of endorsement.

Pre-Requisites

Employability Skills Information

Elements and Performance Criteria Pre-Content

Element Performance Criteria

Elements describe the essential outcomes of a unit of competency.

Performance criteria describe the performance needed to demonstrate achievement of the element. Where bold italicised text is used, further information is detailed in the required skills and knowledge section and the range statement. Assessment of performance is to be consistent with the evidence guide.

Elements and Performance Criteria

vulnerability assessments

1.1 Identify the relationship between corporate risk and the

organisation’s business continuity management framework

1.2 Analyse and determine internal and external risk context by collecting information that relates to the organisation’s priorities, operations and environment

1.3 Analyse and identify potential internal and external sources of disruption to the organisation’s priorities, operations and

environment 2. Develop and report on

the business impact assessment/s

2.1 Identify the organisation’s critical business functions and their dependencies and interdependencies, and analyse and evaluate risks through the business impact assessment/s 2.2 Develop risk and disruption scenarios through the business impact assessment/s

2.3 Validate risk and disruption scenarios through the business impact assessment/s

2.4 Analyse, validate and report on the outcomes of the business impact assessment/s to management

3. Develop, implement and report on risk treatments

3.1 Develop and implement risk treatments 3.2 Participate in risk treatment review

3.3 Report on risk treatment review to management and relevant appropriate personnel

3.4 Update risk treatment review in line with feedback provided by relevant personnel

4. Determine

interdependencies and develop response strategies

4.1 Develop the organisation’s emergency response, continuity

and recovery strategies

4.2 Consult and seek endorsement on the organisation’s emergency response, continuity and recovery strategies from management and other appropriate personnel

4.3 Identify and manage synergies and conflicts in resource availability and access in conjunction with management

4.4 Coordinate the organisation’s emergency response, continuity and recovery strategies

5. Establish the business continuity plan

5.1 Consult relevant personnel and seek support for the development of the organisation’s business continuity plan/s 5.2 Ensure content of business continuity plan is comprehensive and meets, where applicable, the requirements of regulations, standards, industry practice and geographical dispersion

5.3 Document and analyse feedback received through consultation and finalise business continuity plan

5.4 Demonstrate accountability for the organisation’s business continuity plan/s

6. Establish the communication plan within the organisation’s planning framework

6.1 Identify stakeholders and determine objective and scope of

communication plan for periods before, during and after

disruptions occur

6.2 Determine organisation’s communication capabilities in line with objectives and scope, and identify gaps and options for meeting shortfalls

6.3 Develop and implement across the organisation, appropriate risk and incident monitoring, reporting and escalation processes 7. Deliver business

continuity professional development activities

7.1 Promote the application of the business continuity

management framework and plan to all relevant personnel on an ongoing basis

7.2 Provide staff with appropriate information relating to the cyclical review process of the business continuity management plan

7.3 Conduct business continuity management plan exercises in line with the organisation’s policies and procedures

7.4 Conduct post exercise debriefs, complete post exercise reviews and update business continuity strategies and plans as required

7.5 Manage and record staff learning and development in relation to the business continuity management framework in accordance with organisational requirements, and framework policies and procedures

7.6 Report on the outcomes of staff learning and development, and business continuity framework exercises to relevant personnel

Required Skills and Knowledge

This section describes the skills and knowledge required for this unit.

Required skills

 analytical skills to analyse relevant workplace information and data, and to make observations and connections between workplace tasks and interactions in relation to people, activities, equipment, environment and systems

 communication, teamwork and leadership skills to:

 read and interpret an organisation’s reports, policies and procedures in order to

develop business continuity management plan/s

 effectively communicate and work with a diverse range of individuals at all levels during and after a disruptive event

 effectively negotiate the trust and confidence of colleagues and stakeholders

 effectively undertake detailed business impact assessment activities across the spectrum of the organisation’s stakeholders

 information technology skills to effectively respond to information technology issues

 initiative and enterprise skills to generate a range of options in response to a disruptive event

 planning and organisational skills to participate in or to establish the organisation’s

improvement and planning processes

 presentation skills to develop and present reports or presentations that deal with complex ideas and concepts, and to articulate information and ideas clearly

 research skills to undertake the necessary background research for risk and vulnerability assessment, business impact assessment and business continuity plan

 risk management and project planning skills to effectively develop and execute potentially complex business continuity planning strategies and plans

 stress management skills to work effectively and positively under the pressure of a major incident or situation within the workplace.

Required knowledge

 AS/NZS ISO 31000:2009 Risk Management - Principles and Guidelines

 Australian/New Zealand Standard Handbook AS/NZS 50:50 2010 Business Continuity: managing disruption related risk

 organisation’s policies and procedures, including business continuity strategies

 overall operations of the organisation, including existing data and information systems, paper and digital recordkeeping systems

 past and current internal, external and industry disruptions

 relevant legislation and regulations that impact on business continuity, such as OHS, environment, duty of care, contract, company, freedom of information, industrial relations, emergency management, privacy and confidentiality, due diligence, records management

 types of available insurance, what is required and insurance providers in relation to business continuity planning

Evidence Guide

The evidence guide provides advice on assessment and must be read in conjunction with the performance criteria, required skills and knowledge, range statement and the Assessment Guidelines for the Training Package.

Critical aspects for assessment and evidence required to demonstrate competency in this unit

Evidence of the following is essential:

 knowledge of the organisation’s overall business

continuity framework and how it interrelates with the critical business functions

 development and implementation of a business continuity plan that includes appropriate links to emergency

response, disaster recovery plans and detailed continuity and recovery strategies

 effective management of the communication and staff development activities relating to business continuity risk and vulnerability assessment.

Context of and specific resources for assessment

Assessment must ensure:

 access to workplace business continuity documentation

 access to feedback from teams and management.

Method of assessment A range of assessment methods should be used to assess practical skills and knowledge. The following examples are appropriate for this unit:

 direct questioning combined with review of portfolios of evidence and third party workplace reports of on-the-job performance by the participant

 work based projects or case studies

 observation of presentations

 oral or written questioning to assess knowledge of

business continuity management framework and business continuity plans

 review of documented critical success factors, and goals or objectives for area

 review of risks prioritised for risk treatment and disruption scenarios

 evaluation of business impact assessment

 evaluation of business continuity and communication strategies and plans.

Guidance information for assessment

Holistic assessment with other units relevant to the industry sector, workplace and job role is recommended.

Range Statement

The range statement relates to the unit of competency as a whole. It allows for different work environments and situations that may affect performance. Bold italicised wording, if used in the performance criteria, is detailed below. Essential operating conditions that may be present with training and assessment (depending on the work situation, needs of the candidate, accessibility of the item, and local industry and regional contexts) may also be included.

Corporate risk may include:  electronic information security

 espionage/commercial confidence/sensitivity breach

 governance

 insolvency

 major fraud

 professional negligence – threat of major legal action against directors.

Organisations may include:  commercial enterprises

 community

 government

 non-commercial enterprises

 not-for-profit

 religious organisations.

Risk may include:  aeronautical

 armed hold-up

 biological

 chemical

 civil disturbance

 disability/death of key person

 economic  electronic  erosion  explosion  fire  fraud  hazardous materials  industrial accident  infrastructure failure  market failure  natural disaster

 operational collapse – insolvency

 pandemic

 pollution

 radiological/nuclear

 robbery and/or major vandalism

 sabotage  structure failure  terrorism  transport accident  war  water  weather/climate change.

Critical business functions

may include:

 business objectives

 customer service functions

 financial systems

 human resource functions

 management

 OHS

 organisational structure

 payroll

 records management.

Dependencies may include:  office furniture

 office supplies

 personnel

 support activities

 systems and applications

 vital records.

Interdependencies may

include:

 communications

 outsourcer and third party suppliers

 power  sanitation  security  transport  water. Business impact

assessment/s may include:

 breach/reduction of customer service standards

 cost/impact on existing and/or increased finance

 escalating losses over time

 impact of loss of business/resources

 loss of revenue

 potential fines/penalties/litigation costs

 reputation/brand damage

 statutory/regulatory breaches.

Disruption scenarios may

include:

 damage to/loss of critical infrastructure

 equipment and other assets – unavailable

 litigation

 loss of access to building

 loss of access to precinct

 loss of access to records and organisational information systems

 loss of building

 loss of communications – voice

 loss of communications – data

 loss of distribution chain

 loss of information technology systems

 loss of number and availability of staff, including key staff

 not meeting legal and business requirements

 partnership dependencies – denial of access to goods and services from suppliers, outsourcers.

Management may include:  chief executive officer

 company board

 delegated business continuity management director/officer

 department managers

 directors

 supervisors.

Risk treatment may include:  activating evacuation plan

 activating lockdown procedures

 activating workplace emergency management plan

 personnel working from home

 relocation of facilities

 temporarily suspending activities

 transferring activities.

Emergency response strategies may include:

 contact lists to report incident/s

 documentation/reporting/recording procedures

 evacuation plan

 location of evacuation assembly point

 lock down procedures

 names and responsibilities of wardens

 personnel instructions for evacuation

 process for accounting personnel

 workplace emergency management plan.

Continuity strategies may

include:

 action required to resume critical business activities to pre-disruption capacity

 counselling

 critical business activities and prioritisation of when they can/need to resume

 list of resources

 relocation to alternative worksite

 resource replacement

 treatment for critical business activities.

Recovery strategies may

include:

 customer confidence/relationship management

 damage assessment

 market re-establishment

 process for assessing loss and filing insurance claims

 relocation of business to original location

 salvage and restoration of records, infrastructure and premises.

Resources may include:  critical written and/or electronic records

 emergency services

 facilities and/or accommodation

 finances

 information technology infrastructure and applications management

 insurance

 personnel

 plant and equipment

 premises

 telecommunications.

Business continuity plan/s

may include:

 introduction

 organisational details

 objectives

 purpose

 critical business functions

 assumptions

 processes

 activation and stand down

 responsibility

 version control and maintenance

 operational requirements

 critical success factors

 interdependencies

 outage times

 compliance

 people

 roles and responsibilities

 contact details

 continuity arrangements

 accommodation

 resources

 workarounds and alternate solutions

 continuity management tasks

 communications

 other plans

 checklists

 maps and drawings.

Stakeholders may include:  chief executive officer

 company board  customers  directors  families/next-of-kin  funders  local community  media  personnel  professional bodies  shareholders

 relevant government minister/s and department/s

 regulators

 sponsors

 suppliers.

Communication plan may

include:

 accessibility

 assumptions

 audience

 boundaries

 business continuity terminology

 capability

 equipment

 hierarchical organisational chart of internal and external emergency services personnel/delegates

 mode

 monitoring procedures

 radio silence

 reporting and recording procedures

 sensitivities.

Exercises may include:  drills

 modelling

 planned walkthroughs

 scenario planning and exercising

 simulated exercises

 testing.

Unit Sector(s)